Botnet Using Twitter

Written by DarkKnightH20, Saturday, 15 August 2009 03:13. Last updated Saturday, 27 March 2010 11:03.

This is to be expected. As I pointed out in my DDoS text, botnets are very flexible in how they can be controlled and are limited only by the creator’s creativity. The article can be read at Arbor Networks, but I’ll provide an excerpt for those who have only a moment to read or little interest:

While digging around I found a botnet that uses Twitter as its command and control structure. Basically what it does is use the status messages to send out new links to contact, then these contain new commands or executables to download and run. The account in question is under analysis by Twitter’s security team. I spotted it because a bot uses the RSS feed to get the status updates.

The article goes on to show that some messages were base64 encoded, PKZIP was used, and the exes were packed with UPX (a highly detectable packer that leaves a signature in the exe and is so popular that it is easily unpacked). Using Twitter was an interesting (but bad) idea, but this isn’t as “omg” as people think. Tagboards can be used, forums can be used, IRC servers can be used; basically any website that allows the public posting of information with little (to no) moderation will do. This Twitter botnet was easy to find because of the suspicious page setup. If staying anonymous is key to someone, then using something far less public, where it is much harder to put two and two together, is essential.
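The bot in the article polled an RSS feed of status updates and pulled base64-encoded links out of them, which is exactly the pattern a feed monitor can look for. The following is an added example (not code from the original post or from Arbor Networks) that scans a constructed sample RSS feed for status titles that are base64 blobs decoding to URLs; the feed contents, the `example.invalid` host and the 16-character minimum token length are assumptions.

```python
"""Flag RSS status items whose text is a base64 blob hiding a URL, the
C2 pattern described in the post. The sample feed below is constructed."""
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# A token is worth decoding only if it is long enough and uses the base64 alphabet.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def decode_b64_token(token):
    """Return the decoded UTF-8 text if token is well-formed base64, else None."""
    if not B64_TOKEN.match(token):
        return None
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # bad padding, non-alphabet chars, or binary garbage


def suspicious_statuses(rss_xml):
    """Return [(title, [urls])] for items whose title hides a URL in base64."""
    hits = []
    root = ET.fromstring(rss_xml)
    for item in root.iter("item"):
        title = (item.findtext("title") or "").strip()
        urls = []
        for tok in title.split():
            decoded = decode_b64_token(tok)
            if decoded:
                urls.extend(URL_RE.findall(decoded))
        if urls:
            hits.append((title, urls))
    return hits


def build_sample_feed():
    """Constructed feed (assumption): one benign status, one base64-wrapped link,
    one plain link. Only the base64-wrapped one should be flagged."""
    hidden = base64.b64encode(b"http://example.invalid/update.zip").decode()
    return f"""<rss version="2.0"><channel>
<item><title>Good morning everyone, coffee time</title></item>
<item><title>{hidden}</title></item>
<item><title>check out http://example.invalid/blog plain link</title></item>
</channel></rss>"""


if __name__ == "__main__":
    for title, urls in suspicious_statuses(build_sample_feed()):
        print("suspicious status:", title, "->", urls)
```

A plain-text link is deliberately not flagged: the signal here is the encoding, not the presence of a URL, which is what separated the C2 account from ordinary chatter.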

This entry was posted on Saturday, August 15th, 2009 at 3:13 PM and is filed under Security.